SonarQube / SONAR-12000

Secure webhook consumers with signature

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 7.8
    • Component/s: Webhook
    • Labels: None
    • Estimate: Hours
    • Edition: Community
    • Production Notes: None

      Description

      Why

      On SonarCloud, consumers of webhooks should verify that the received payloads really originate from SonarCloud and not from an attacker. This check is currently handled by rejecting requests from IPs that are not in the documented white-list.

      This approach works well but is complex:

      • it requires infrastructure changes on the user side (firewall rules)
      • the list of IPs is a constraint on operating the web servers and compute engines that send webhooks. It is more or less hardcoded, and changes are hard to apply.
      • it is not the mechanism recommended by services like Github (doc) or paymentsos (doc)

      Checking the origin of webhooks makes sense on SonarQube too.

      What

      Consumers should compute the signature of the received payload and compare it with the value of the HTTP header X-Sonar-Webhook-HMAC-SHA256 sent with the webhook request. A shared secret is defined in the organisation settings and is used to compute the signature.

      The same strategy is implemented at Github and Heroku.

      How

      • Deprecate the list of public IPs by adding a warning to the documentation. The list of public IPs will be removed from documentation on 1st of June 2019
      • Add the optional parameter secret to POST api/webhooks/create and POST api/webhooks/update.
      • Return the secret in GET api/webhooks/list
      • If secret is set, add the header X-Sonar-Webhook-HMAC-SHA256 to the HTTP request
      • Add the secret field to the administration console. Note that the Github console does not display the secret value by default, even though the value is accessible in the HTML code. Displaying it requires clicking the "Edit" button (see attached screenshot).
      • Complete documentation. The Java code that validates the received signature looks like:
        import java.util.Objects;
        import org.apache.commons.codec.digest.HmacAlgorithms;
        import org.apache.commons.codec.digest.HmacUtils;

        private static boolean isValidSignature(YourHttpRequest request) {
          String receivedSignature = request.getHeader("X-Sonar-Webhook-HMAC-SHA256");
          // Recompute the HMAC-SHA256 of the raw request body with the shared secret
          // (HmacUtils is from Apache commons-codec); hmacHex returns lowercase hex.
          String expectedSignature = new HmacUtils(HmacAlgorithms.HMAC_SHA_256, "your_secret").hmacHex(request.getBody());
          // Objects.equals handles a missing header (null) without throwing.
          return Objects.equals(expectedSignature, receivedSignature);
        }
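A consumer-side check of this scheme in Python, added here as an example and not code from the SonarQube project: it signs a constructed sample body the way the sender would, verifies it with a constant-time comparison, and shows why the HMAC has to be computed over the raw request bytes rather than a re-serialised copy of the JSON. The secret, body and header dictionary are constructed values.

```python
import hashlib
import hmac
import json

HEADER = "X-Sonar-Webhook-HMAC-SHA256"

# Constructed sample values, not real SonarQube/SonarCloud data.
SECRET = "constructed-shared-secret"
BODY = b'{"serverUrl": "https://sonar.example.invalid", "taskId": "AXxq", "status": "SUCCESS"}'


def sign_payload(secret: str, body: bytes) -> str:
    """Sender side: lowercase hex HMAC-SHA256 of the raw request body."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def is_valid_signature(secret: str, headers: dict, body: bytes) -> bool:
    """Consumer side: recompute the HMAC over the raw bytes and compare in constant time."""
    # HTTP header names are case-insensitive; look the header up accordingly.
    received = next((v for k, v in headers.items() if k.lower() == HEADER.lower()), None)
    if not received:
        return False  # missing or empty header: treat the request as unauthenticated
    expected = sign_payload(secret, body)
    # hmac.compare_digest avoids the timing leak of a plain string equality check.
    return hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8"))


def demo() -> dict:
    """Exercise the genuine, tampered, wrong-secret, unsigned and re-serialised cases."""
    headers = {HEADER.lower(): sign_payload(SECRET, BODY)}
    tampered = BODY.replace(b"SUCCESS", b"FAILED")
    # Pitfall: hashing a re-serialised copy of the JSON instead of the bytes on the wire.
    reserialised = json.dumps(json.loads(BODY), separators=(",", ":")).encode()
    return {
        "genuine": is_valid_signature(SECRET, headers, BODY),
        "tampered_body": is_valid_signature(SECRET, headers, tampered),
        "wrong_secret": is_valid_signature("another-secret", headers, BODY),
        "no_header": is_valid_signature(SECRET, {}, BODY),
        "reserialised_body": is_valid_signature(SECRET, headers, reserialised),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the genuine case is accepted; a framework that hands you a parsed and re-encoded body instead of the original bytes will fail verification even with the right secret.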

        People

        • Assignee: Simon Brandhof (simon.brandhof, Inactive)
        • Reporter: Simon Brandhof (simon.brandhof, Inactive)